On Wed, Mar 06, 2013 at 12:44:37PM -0500, Paul Wouters wrote:
> On Wed, 6 Mar 2013, Ondřej Surý wrote:
>
> >If you want to be compatible with DANE, I would suggest to implement
> >the protocol as is, pretty please.
>
> But since HASTLS seems dead, please interpret "TLSA record present" as
> "don't deliver without TLS"
>
> *ducks*
No need to duck: if DNSSEC serves up usable TLSA records, then
indeed Postfix won't deliver without TLS. If *all* the records are
malformed or use unsupported parameters, then my reading of DANE
6698 is that one should behave as though no TLSA records were
present. This is based on 6698 #4.1:
    If an application receives zero usable certificate associations from
    a DNS request or from its cache, it processes TLS in the normal
    fashion without any input from the TLSA records. If an application
    receives one or more usable certificate associations, it attempts to
    match each certificate association with the TLS server's end entity
    certificate until a successful match is found. During the TLS
    handshake, if none of the certificate associations matches the
    certificate given by the TLS server, the TLS client MUST abort the
    handshake.
Are you saying that an RRset consisting entirely of unusable TLSA
records should force TLS (to always fail)?
--
Viktor.
_______________________________________________
dane mailing list
dane@ietf.org
https://www.ietf.org/mailman/listinfo/dane
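The three outcomes Viktor describes from RFC 6698 section 4.1 (zero usable associations: TLS without TLSA input; usable associations, one matches: proceed; usable associations, none match: abort) can be written out as a small decision routine. The code below is an added example for this thread; it is not Postfix code and not from any message in the thread. Its client policy is an assumption made for illustration: it implements only DANE-EE(3), the usage for which matching the server's end-entity certificate is the whole check, so records with usages 0, 1 or 2 count as "unsupported parameters" here (a real client would handle them with PKIX or chain validation, which this example does not model). The certificate and SPKI bytes are constructed stand-ins, not real DER.

```python
"""Added example (not from the thread or from Postfix): the RFC 6698 section 4.1
"usable certificate association" rule, including the all-unusable edge case."""
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class TLSA:
    """One TLSA RDATA: usage, selector, matching type, certificate association data."""
    usage: int
    selector: int
    matching_type: int
    data: bytes


# Association-data lengths implied by the matching type (RFC 6698 section 2.1.3).
# Matching type 0 (Full) carries the whole certificate or SPKI, so any non-empty length.
DIGEST_LEN = {1: 32, 2: 64}

# Hypothetical client policy for this example: it implements only DANE-EE(3), the
# usage for which matching the end-entity certificate is the whole check.  PKIX-TA(0),
# PKIX-EE(1) and DANE-TA(2) need PKIX or chain validation that this example does not
# model, so records using them count as "unsupported parameters" here.
SUPPORTED_USAGES: Set[int] = {3}
SUPPORTED_SELECTORS: Set[int] = {0, 1}          # Cert(0), SPKI(1)
SUPPORTED_MATCHING: Set[int] = {0, 1, 2}        # Full(0), SHA2-256(1), SHA2-512(2)


def unusable_reason(rr: TLSA) -> Optional[str]:
    """Return why a record is unusable, or None if it is usable (RFC 6698 section 4.1)."""
    if rr.usage not in SUPPORTED_USAGES:
        return f"unsupported usage {rr.usage}"
    if rr.selector not in SUPPORTED_SELECTORS:
        return f"unsupported selector {rr.selector}"
    if rr.matching_type not in SUPPORTED_MATCHING:
        return f"unsupported matching type {rr.matching_type}"
    expected = DIGEST_LEN.get(rr.matching_type)
    if expected is not None and len(rr.data) != expected:
        return f"malformed: {len(rr.data)}-byte data for matching type {rr.matching_type}"
    if expected is None and not rr.data:
        return "malformed: empty Full(0) association data"
    return None


def association_data(cert_der: bytes, spki_der: bytes, rr: TLSA) -> bytes:
    """Compute what the server's certificate would have to yield to match rr."""
    blob = cert_der if rr.selector == 0 else spki_der
    if rr.matching_type == 0:
        return blob
    if rr.matching_type == 1:
        return hashlib.sha256(blob).digest()
    return hashlib.sha512(blob).digest()


def dane_decision(rrset: Iterable[TLSA], cert_der: bytes, spki_der: bytes) -> Tuple[str, List[str]]:
    """Apply section 4.1:
    - zero usable records      -> "no-dane": TLS proceeds with no input from TLSA
    - some usable, one matches -> "match"
    - some usable, none match  -> "abort": the client MUST abort the handshake
    Also returns the reasons records were skipped, for logging."""
    reasons: List[str] = []
    usable: List[TLSA] = []
    for rr in rrset:
        why = unusable_reason(rr)
        if why is None:
            usable.append(rr)
        else:
            reasons.append(why)
    if not usable:
        return "no-dane", reasons
    for rr in usable:
        if rr.data == association_data(cert_der, spki_der, rr):
            return "match", reasons
    return "abort", reasons


# Constructed stand-ins for the server's DER certificate and its SubjectPublicKeyInfo.
# They are arbitrary bytes, not real DER; only their digests matter to this logic.
CERT_DER = b"constructed-not-real-certificate-der"
SPKI_DER = b"constructed-not-real-spki-der"


def demo() -> dict:
    """Three RRsets: all unusable, one usable match, usable but mismatching."""
    good = TLSA(3, 1, 1, hashlib.sha256(SPKI_DER).digest())
    truncated = TLSA(3, 1, 1, hashlib.sha256(SPKI_DER).digest()[:31])   # malformed length
    unknown_mt = TLSA(3, 1, 9, b"\x00" * 32)                             # unknown matching type
    pkix_ta = TLSA(0, 0, 1, hashlib.sha256(CERT_DER).digest())           # usage not supported here
    stale = TLSA(3, 1, 1, hashlib.sha256(b"old-key").digest())           # key rolled, record not

    return {
        "all_unusable": dane_decision([truncated, unknown_mt, pkix_ta], CERT_DER, SPKI_DER)[0],
        "one_usable_match": dane_decision([truncated, good], CERT_DER, SPKI_DER)[0],
        "usable_mismatch": dane_decision([stale, unknown_mt], CERT_DER, SPKI_DER)[0],
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The point of the first case is the one under discussion: an RRset that exists but contains nothing the client can use yields "no-dane", the same result as an empty RRset, rather than a forced handshake that can only fail. Whatever policy a client adopts for that case, it should log the skipped records and their reasons, since an all-unusable RRset usually means a publisher error or a parameter the client does not yet support.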